Re: Secure file transfer

on 18.12.2007 00:17:09 by Sebastian Gottschalk

Gerald Vogt wrote:

> On Dec 18, 3:34 am, "Sebastian G." wrote:
>> Unruh wrote:
>>>> SSL. SSH/SFTP only protects the data transfer channel, not the command channel.
>>> No idea what you are talking about. ssh encrypts everything passing between
>>> the two computers.
>> We're talking about SFTP, which is a variant how to use SSH to secure the
>> FTP protocol. In the SFTP setup, the protection by SSH is only applied to
>> the data transfer channel.
>
> Do you have any URL to some documentation of this "SFTP" protocol?




Oh, and while we're at it:
, which discussed the difference between
implicit and explicit SSL mode on FTP-SSL.

Re: Secure file transfer

on 18.12.2007 01:09:18 by Gerald Vogt

On Dec 18, 8:17 am, "Sebastian G." wrote:
> Gerald Vogt wrote:
> > On Dec 18, 3:34 am, "Sebastian G." wrote:
> >> Unruh wrote:
> >>>> SSL. SSH/SFTP only protects the data transfer channel, not the command channel.
> >>> No idea what you are talking about. ssh encrypts everything passing between
> >>> the two computers.
> >> We're talking about SFTP, which is a variant how to use SSH to secure the
> >> FTP protocol. In the SFTP setup, the protection by SSH is only applied to
> >> the data transfer channel.
>
> > Do you have any URL to some documentation of this "SFTP" protocol?
>
>

This paragraph is titled "FTP over SSH" and not "SFTP". And it also
says:

"FTP over SSH is sometimes referred to as secure FTP; this should not
be confused with other methods of securing FTP, such as with SSL/TLS
(FTPS). Other methods of transferring files using SSH that are not
related to FTP include SFTP and SCP; in each of these, the entire
conversation (credentials and data) is always protected by the SSH
protocol."

SFTP is something else. It protects the "entire" conversation. Nowhere
in this Wikipedia article do I find information that suggests "SSH/SFTP"
or "SFTP" is this "FTP over SSH" mentioned in the article.

Moreover, "FTP over SSH" is the protection of the command channel. You
simply tunnel port 21 to the server. The return channel (i.e. the data
channel) remains unprotected. This is in contrast to your former
statement

"SSL encrypts and authenticates both command and data channel, SSH/
SFTP only the latter."

Summarizing the Wikipedia article:

* FTP over SSH aka Secure FTP protects only the command channel. Not
the data channel.
* FTPS aka FTP over SSL is something different and protects the whole
conversation.
* SFTP is something different and protects the whole conversation.

There is no information which says that SSH/SFTP or SFTP is what you
claim it is nor that it is unsecure nor that any data is sent
unencrypted.

It looks to me as if you write about FTP over SSH. This was nowhere
mentioned. SSH/SFTP was mentioned in the OP. But that is something
completely different unless you have evidence that Core FTP does "FTP
over SSH" for what it calls "SSH/SFTP".

> Oh, and while we're at it:
> , which discussed the difference between
> implicit and explicit SSL mode on FTP-SSL.

That one says "FTP over SSH (no acronym)" and otherwise says nothing
about it or SFTP.

Thus, so far both protocols in the OP - SSH/SFTP and AUTH SSL - are
secure, don't transmit unencrypted data. They are both something
completely different as the former uses a different protocol from the
latter. Only the latter is derived from FTP while the former uses its
own protocol which is not FTP.

This brings us back to the original question in the OP:

"In Core FTP, is it better to use AUTH SSL or SSH/SFTP?"

As your original answer applies to FTP over SSH and not to SSH/SFTP we
still have to discuss this issue. So far, I think both are secure.

Gerald
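
The "tunnel port 21" setup described in the post above, as an added example that is not part of the original thread: it parses the server's passive-mode reply and reports where the client's data connection goes when only the control port is forwarded over SSH. The host name, addresses, ports and function names are constructed for illustration; the EPSV case goes beyond what the post mentions.

```python
import re

# Constructed sample: the local listener created by an SSH port forward such as
#   ssh -L 2121:ftp.example.test:21 user@ftp.example.test
# mapped to the remote target it reaches. Host names and ports are made up.
FORWARDS = {("127.0.0.1", 2121): ("ftp.example.test", 21)}

PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
EPSV_RE = re.compile(r"^229 .*?\((.)\1\1(\d{1,5})\1\)")


def data_endpoint(reply, control_peer):
    """Return the (host, port) the FTP client opens its data connection to."""
    m = PASV_RE.match(reply)
    if m:
        nums = [int(g) for g in m.groups()]
        if max(nums) > 255:
            raise ValueError("field out of range in PASV reply")
        # PASV (RFC 959): four address octets, then the port as two bytes.
        return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]
    m = EPSV_RE.match(reply)
    if m:
        port = int(m.group(2))
        if not 0 < port < 65536:
            raise ValueError("port out of range in EPSV reply")
        # EPSV (RFC 2428): only a port; the host is the control connection's peer.
        return control_peer[0], port
    raise ValueError("not a passive-mode reply")


def classify(reply, control_peer, forwards=FORWARDS):
    """Describe the data connection when only the control port is tunnelled."""
    endpoint = data_endpoint(reply, control_peer)
    if endpoint in forwards:
        return endpoint, "tunnelled"
    if endpoint[0] in ("127.0.0.1", "::1"):
        return endpoint, "fails: no forward listens on that local port"
    return endpoint, "direct connection, not protected by SSH"


if __name__ == "__main__":
    control = ("127.0.0.1", 2121)  # the client talks to the tunnel's local end
    for line in ("227 Entering Passive Mode (192,0,2,10,195,80).",
                 "229 Entering Extended Passive Mode (|||50000|)"):
        print(line, "->", classify(line, control))
```

SFTP has no separate data connection to classify: commands and file contents travel inside the same SSH session.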